B (4:17)

That's it. I mean, that's the one, two punch. You got it with the evidence. You have something that the agent can make the right decisions. And then what we have done is with our design partners, we have built this interface that now the early customers that weren't design partners that are seeing it for the first time are going like, wow. We actually had customers go like, wow. That's the power of investigator right there. Like they, you know, it was this like, you know, very natural, organic response. And as a product manager, you kind of throw your hands up in the air and smile and celebrate a little bit. Because we're not just saying an end result of malicious or likely malicious, and we're not just saying that. Plus a few sentences on why we have key findings supporting that final analysis as to why it thought that. And then those key findings have the actual evidence collected by the tools. And so if, let's say four tools, tools being the things that agents use to go collect data. If one of them brought back a table of the top talkers and another one brought back its DNS activity and the response codes and all of these sort of things, all of that evidence is going to get brought back up and it's going to explain the agent came to this conclusion because of this data below. And you can go and see the logs and the tables that it collected. And so you don't have to take us at our word. It's 100% inspectable. You can even view the playbook that it was using to kind of generally follow and think through how it was going to investigate this. And so that ability to have a truly agentic system that can think and reason and come up with novel findings, we don't determine what it finds. There's no fixed list of you can find 50 different things. It can find anything it wants. And by the way, it has found out that it's in a lab before that has come up as one of the findings is, I think it might be in a lab. I think this might be a simulation. And it was, of course, because we were testing it. So that combination of being able to bring that and show that to the analysts so that they don't have to just take our word for it, but we actually build that trust. That's the one, two punch. Exactly.

A (6:29)

As you said, what you said, there's interesting around the importance of evidence and that being sort of the foundation of what corelight does. Am I right in saying that that's so important, especially in an AI world? Because everyone knows these models are indeterministic. They'll go off on a bit of a spacewalk sometimes, so they're not naturally grounded. So are you saying the strength here is the core light brings the grounding because you've got that evidence based, that fact based sort of, I guess, corpus of knowledge, and then the agent is able to really do what it does, but operate much, I guess, with a much higher rate of good quality outputs and higher signal versus noise. Because you've got that evidence behind it.

B (7:12)

Right? Well, there are solutions out there where they're providing more, where those other vendors are focused more on detection and they don't necessarily have the sort of what we often call the flight recorder to be able to go back and look at what happened and really play back the scenario. And so that ability really shows up because how this works, the very quick kind of technical explanation is that the agent is using lots of tools to go back and piece together the history and then it produces what we call key findings. Here are some kind of highlights that we think the analysts should zoom in on that support the end kind of determination of is this likely malicious or is it likely benign? And we see it in the findings and so we can see things like it seeing certain activity, but then looking at the history of that machine and going this looks like normal activity that's actually in line with the other things that this machine does on a routine basis. And so therefore, there is a general evidence pattern that would say that this is normal administrative behavior. You can't do that if you don't have the history to go back and see that pattern.

A (8:33)

Right? Because it's one thing to say to a model, hey, I'm seeing this thing being run or this signal being emitted, does this look bad? And they'll be sort of looking at their body of knowledge baked into that LLM to say, well, that thing alone does look bad. Does look bad, right? RMRF bad, not bad. But I think what you're saying is you got to look at a much wider window of time to see those behaviors, to understand truly, is RMRF bad or is it actually that's what that thing does regularly because it happens to be doing a particular scheduled task. Got that right.

B (9:06)

100% right. The living off the land binary kind of attacks where you increasingly see these more sophisticated attackers trying to blend into the environment. And so we have advanced detections that catch anomalies. But then the question is still, okay, a file is being transferred to a computer that this computer doesn't usually send files to, but is that bad? We don't know. Or an RDP session is happening between these two computers in a way that seems a little suspicious, but is that bad by itself? It's not necessarily. It could be fine. And so you need that supporting evidence. You can't just go off the detection and you don't know what you're going to need in advance to answer these questions. And so you really have to be kind of collecting everything. And that's what we do. And that's why people have always loved us as humans, is we just proactively collected everything, not knowing what you'd really need when the time came. And then that's just turning out to be really valuable for agents too.

A (10:10)

And from a technical point of view like this makes a ton of sense, right? You've got so much data, you've got so much as you said evidence, and you can put that all together. It does an amazing job of creating a long, I guess, pattern of life for a machine to establish whether it's doing something new or something odd. But the Achilles heels of AI as we know it today is the context window. And is that how are you managing that challenge?

B (10:34)

You actually in some ways have to be glad that these things exist because they are what allow you to build something special. If there weren't hard problems, everything would feel the same. And so the fact that there are some hard problems for us to go out there and solve give us a place to shine. And so that was a hard problem, and we feel like we've been able to meet the challenge. And so, you know, I could talk about that for the whole podcast, but the short answer is, you know, we built a bunch of tools that the agent can use that are specifically designed to take huge amounts of data. I mean, you have to realize that for any one machine in a given day, I mean, we could be collecting thousands, hundreds of thousands, maybe even millions of logs, probably millions of logs.

A (11:22)

And just give. Give us a sense of like, what disk space, like what. What does that actually translate to?

B (11:27)

I mean, we have customers where we're collecting terabytes of data a day for that one customer. Wow.

A (11:32)

Okay.

B (11:34)

So then the tools are very specifically designed to come back with summaries of the data. And so instead of going get me 100,000 logs that we're going to push into the context window, it's go get me a list of the top talkers and summarize by IP address the external connections it's made and maybe even do some sort of join with previous days and filter out the ones that are to get down to essentially new talkers. And so then you can feed it a nice clean table that is much more succinct. And there's two reasons for that. One is that even when you have like a million token context window, there's this context, sorry, concept of context rot, or there's some other acronyms out there for it that are more official. But. And so you have to be careful of even trying to fully utilize the context window. And then you also. We are building our AI actually for our SaaS platform, but we're also delivering AI for customers who are just streaming all of our data straight to their siem, and we're delivering it to them in the form of an MCP server. And so how we architect this has ramifications for them in cost for the tokens that they incur for the MCP version. So we want it to be token efficient.

A (12:59)

Right. And reading through the press release, there was a cheeky sort of line in there that made me grin, sort of throwing shade on other solutions out there saying these proprietary solutions are very closed. And the core light premise around this is you're very open. And I know you guys have a very strong of open source heritage, but I think this actually talks to something different, which is around openness and transparency and introspectability. Talk us through why this is such an important feature for you and you know, what does it ultimately mean for the customer in terms of, you know, the long term benefits they get out of a system like this and I guess their way in which they'll integrate it into their day to day work in the SoC,

B (13:43)

that is very, very important to us. Trust is very important to us. And that's where openness and transparency comes into play. Because you don't get trust if you can't be open about what the analyst did and why it thinks what it thinks. And you don't give them the chance to second guess you. If they can't second guess you, if they can't go back and if it's not easy to validate what we're saying, then you can't build that trust. And so we built the system to be able to allow the user to do that. And a, I mean that is being confirmed in the feedback that we're seeing from customers that that's really, really powerful. But it's also just kind of a core philosophy at corelight. Even before we built AI features, it was part of just how we built the platform. We've always believed that transparency and openness in how the system works and how the detections work. We've always shown how the machine learning models work and that's a really hard task. When we launched our Anomaly engine, it was very hard to be able to make it really clear exactly what it had baselined and what was anomalous versus the baseline. And so we've always taken on the hard task of saying we're going to build a GUI around this that makes it dead simple to understand. First it was our supervised machine learning models, then it was our unsupervised anomaly engine machine models and now it's our agents. So we're just kind of carrying forward that tradition.

A (15:22)

For folks that are listening and have found this interesting, but might not be using Call Light already or might be using Call out and want to find out more about this. In particular, is this feature available now and how can people find out more?

B (15:34)

Yeah, it is available. It's out there. We are like I said, already hearing great feedback. Certainly. Go to the website, fill out a demo form and submit it and we'll be in touch very quickly. Or find me on LinkedIn and send me a note. Some of our design partners are always pinging me saying when's the next version coming out and this update and that feature. So it's out there, and we'd love to show it to you.

A (16:03)

Awesome. Well, David, thank you so much for your time this morning. This has been a really interesting conversation. I've enjoyed it a lot.

B (16:09)

Me, too. Thank you for having me on. It was great.